Can the DOD tap gamers to prevent cyber attacks?

SRI developed Xylem, a new iPad game that taps users to test software for security vulnerabilities. Courtesy: SRI International

A new iPad game allows users to play botanist, cataloging plant life on the imaginary island of Miraflora by identifying patterns in flowers.

But working through the puzzles in “Xylem: The (Code) of Plants” does more than rack up points — it generates mathematical proofs that automatically analyze software for security vulnerabilities.

As more people play, more segments of code are verified — unlocking additional levels of the game. More interestingly, it also checks the code in unrelated software programs.

“The process finds a really solid proof that a particular piece of software doesn’t have exposures or vulnerabilities,” said John Murray, program director in the computer science laboratory at SRI International and principal investigator on the project.

The aim is to make software “more secure, more reliable and less vulnerable to failure,” he said.

The Menlo Park research powerhouse developed the game in partnership with UC Santa Cruz, under the U.S. Defense Advanced Research Projects Agency’s broader Crowd Sourced Formal Verification program. SRI will formally announce Xylem on Monday; the game is available for free, along with four Web-based games developed by other institutions, at www.verigames.com.

The goal of the CSFV initiative is to use the lure of games to harness collective ingenuity, getting lots of people to chip in a little to the tedious task of identifying digital vulnerabilities. It’s increasingly critical to do this cheaply and efficiently, as more of our critical infrastructure moves online and cyber attacks become ever greater threats to national security and commerce.

Formal verification refers to the complicated process of analyzing software to detect exposures. Doing it well has traditionally required highly skilled engineers manually scanning software, a slow and expensive process.

The short supply of such engineers frequently means this formal process isn’t performed, or at least not adequately. Instead, vulnerabilities are patched as they become apparent (hence Microsoft’s twice monthly “Patch Tuesday”), often after the damage is done.

“We’re seeing if we can take really hard math problems and map them onto interesting, attractive puzzle games that online players will solve for fun,” said Drew Dean, DARPA program manager, in a statement. “By leveraging players’ intelligence and ingenuity on a broad scale, we hope to reduce security analysts’ workloads and fundamentally improve the availability of formal verification.”

The games are designed to evaluate the potential for crowdsourcing formal verification. The techniques could eventually be applied to more and increasingly critical software, like medical systems, communications networks and maybe (given DARPA’s interest) military programs.

The games only verify that code is secure or flag potential problems. Humans will still have to go in and fix any discovered flaws.

So how does Xylem work?

Essentially players slide around images of flowers, numbers and mathematical symbols to identify the relationship between the growth patterns of flowers on various plants.

For instance, if there are three red flowers on one branch and six purple ones on the other, the formula would be: “image of red flower” × 2 = “image of purple flower.”

The math starts out about this simple, but gets more complicated as the game proceeds.

What’s happening behind the scenes gets tricky. But in basic terms, the number of flowers corresponds to the actual variables inside a piece of software known as a loop. And the mathematical relationship among the flowers describes what is known as a loop invariant, which is used to verify that loop.

The invariant must be true going into and coming out of the loop, every time it’s executed.
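The loop-invariant idea described above, as an added illustration that is not part of the article and not code from SRI's Xylem: a loop whose two counters keep the relationship "purple = 2 × red", a check of candidate relationships against the loop's observed states, and a stronger inductive check (holds at entry, and the loop body preserves it) in the spirit of the formal proofs the game generates. The loop body, the candidates and the bounded grid of states are all constructed here for the example.

```python
def body(red, purple):
    """One iteration of the loop: a branch adds 3 red and 6 purple flowers."""
    return red + 3, purple + 6

def run_loop(branches):
    """Run the loop and record every state, starting with the entry state."""
    state = (0, 0)
    trace = [state]
    for _ in range(branches):
        state = body(*state)
        trace.append(state)
    return trace

def holds_on_trace(candidate, trace):
    """Does the candidate relationship hold at entry and after every iteration?"""
    return all(candidate(r, p) for r, p in trace)

def is_inductive(candidate, entry=(0, 0), bound=200):
    """A real invariant must hold at entry, and whenever it holds before the
    body runs it must still hold afterwards, for *any* such state, not just
    the ones a particular run happens to visit. Preservation is checked over
    a bounded grid of states (constructed here) rather than proved symbolically."""
    if not candidate(*entry):
        return False
    for r in range(bound):
        for p in range(bound):
            if candidate(r, p) and not candidate(*body(r, p)):
                return False
    return True

# Candidate relationships a player's flower layout might encode
doubled = lambda r, p: p == 2 * r       # the article's "red x 2 = purple"
at_most_90 = lambda r, p: r + p <= 90   # true for a 10-branch run, but not preserved in general
offset = lambda r, p: p == r + 3        # true only after the first iteration
```

A candidate that merely fits one run (`at_most_90`) passes the trace check but fails the inductive one; only `doubled` survives both, which is the distinction the game's hidden proofs rest on.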

Got that? No? Well, that’s kind of the point.

“It’s a hard concept to get across even to computer science students,” said Jim Whitehead, chair of computer science at UCSC, in a statement. “By turning it into a game, it becomes something that an untrained person with basic math skills can do.”

One important unanswered question is how well this will all work in practice. But an equally important one is, how many people will play these games long enough to solve the hard problems?

CSFV isn’t the first time researchers have attempted to use game play and crowdsourcing to solve difficult challenges.

In 2008, researchers at the University of Washington released a game, known as Foldit, that challenged players to manipulate chains of amino acids into optimal shapes. In several weeks, users had produced a model of a protein that could help design antiretroviral drugs to fight the spread of HIV, according to a 2011 study in the journal Nature Structural & Molecular Biology. That task had stumped scientists and computers for a decade.

But other so-called gamification techniques, like offering points, badges and leaderboards to motivate workers or get people to exercise more, have had mixed success.

It turns out that the fact people like to play games doesn’t mean people like to play all games. And virtual rewards like badges aren’t always enough to motivate people to work, especially if it starts to feel like work.

There are already thousands of mobile games competing for attention — and it’s possible that crafting mathematical proofs might not prove as compelling as, say, slingshotting disgruntled birds at pigs.

But Murray says Angry Birds isn’t the model.

“The parallel I like to draw is with the game Sudoku,” he said, since it underscores the market interest in thorny math games. Still, he acknowledged it might be difficult to attain that level of popularity too.

“The puzzles we’re presenting are rather more difficult and the question is, how enthusiastic will the player be over a period of days and weeks and months,” he said.